All:
If you are involved with the Mil-OSS organization hosted on GitHub,
or really doing anything on GitHub, *please* enable 2FA on your GitHub account soon.
At least use SMS, and ideally something better.
There are lots of TOTP solutions (Authy is one). You can also use hardware tokens
(I recommend adding multiple tokens, in case one breaks).
I realize that this can be a pain for some of those in restricted environments.
However, 2FA really does counter most password-based attacks.
GitHub is going to *require* 2FA for active developers at the end of 2023:
https://www.bleepingcomputer.com/news/security/github-to-require-2fa-from-active-developers-by-the-end-of-2023/
If nothing else, you could use one-time passwords as the second factor
when you're in a restricted environment.
I'd like to require 2FA on anyone in the mil-oss GitHub organization,
if that makes sense to the group. Anyone for or against?
--- David A. Wheeler